We have released LibreSSL 2.1.6, which will be arriving in the
LibreSSL directory of your local OpenBSD mirror soon.
This release primarily addresses a number of security issues in coordination
with the OpenSSL project.
Fixes for the following issues are integrated into LibreSSL 2.1.6:
* CVE-2015-0286 - Segmentation fault in ASN1_TYPE_cmp
* CVE-2015-0287 - ASN.1 structure reuse memory corruption
* CVE-2015-0289 - PKCS7 NULL pointer dereferences
* CVE-2015-0209 - Use After Free following d2i_ECPrivatekey error
* CVE-2015-0288 - X509_to_X509_REQ NULL pointer deref
The patch for this issue is integrated in LibreSSL 2.1.6:
* CVE-2015-0207 - Segmentation fault in DTLSv1_listen
LibreSSL is not vulnerable, but the fix was safe to merge.
The following issues were addressed in earlier LibreSSL releases:
* CVE-2015-0204 - RSA silently downgrades to EXPORT_RSA
Fixed in LibreSSL 2.1.2 - reclassifed from low to high,
* CVE-2015-0292 - Fault processing Base64 decode
Fixed in LibreSSL 2.0.0
* CVE-2015-1787 - Empty CKE with client auth and DHE
Fixed in LibreSSL 2.0.1
The following issues did not apply to LibreSSL 2.1.6:
* CVE-2015-0291 - OpenSSL 1.0.2 ClientHello sigalgs DoS
Affected code is not present.
* CVE-2015-0290 - Multiblock corrupted pointer
Affected code is not present.
* CVE-2015-0208 - Segmentation fault for invalid PSS parameters
Affected code is not present.
* CVE-2015-0293 - DoS via reachable assert in SSLv2 servers
Affected code is not present.
* CVE-2015-0285 - Handshake with unseeded PRNG
Cannot happen by the design of the LibreSSL PRNG.
This release also enables the building of libtls by default, as the API and ABI
are declared stable within the LibreSSL 2.1.x series. Further changes to
libtls will resume with LibreSSL 2.2.x.
The LibreSSL project continues improvement of the codebase to reflect modern,
safe programming practices. We welcome feedback and improvements from the
broader community. Thanks to all of the contributors who helped make this
release possible.